
Thread: SPAM frauds, fakes, and other MALWARE deliveries - archive

  1. #521
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Virus outbreak in Progress - 2011.11.16

    FYI...

    Virus outbreak in Progress
    - http://www.ironport.com/toc/
    November 16, 2011

    ... times are GMT and in 24 hour format
    Troj/Agent-UBA 11/15/2011 15:25
    Troj/DwnLdr-JME 11/15/2011 13:59
    Mal/EncPk-ABA 11/15/2011 10:52 - http://www.threatexpert.com/reports....ge=2&find=zbot *
    Troj/FakeAV-ETK 11/15/2011 10:15
    W32/Gamarue-C 11/15/2011 06:52
    W32/Gamarue-D 11/15/2011 01:09

    * http://www.threatexpert.com/reports.aspx?find=zbot&tf=2
    11/16/2011 Results 1 - 20 of 38
    ___

    - http://techblog.avira.com/risk-level/en/
    2011.11.16 - Malware risk - HIGH

    Atlas - summary reports (Past 24 hours)
    - http://atlas.arbor.net/summary/attacks
    ... Sources
    - http://atlas.arbor.net/summary/attacks#sources

    - http://atlas.arbor.net/summary/botnets
    ...C&C Servers
    - http://atlas.arbor.net/summary/botnets#servers

    - http://atlas.arbor.net/summary/fastflux
    ...Servers
    - http://atlas.arbor.net/summary/fastflux#servers
    ___

    - http://tools.cisco.com/security/cent...utbreak.x?i=77

    Fake Electronic Payment Cancellation E-mail Messages...
    - http://tools.cisco.com/security/cent...?alertId=23517
    Fake Order Document E-mail Messages...
    - http://tools.cisco.com/security/cent...?alertId=23854
    Fake UPS Shipment Error E-mail Messages...
    - http://tools.cisco.com/security/cent...?alertId=19743
    Fake USPS Package Delivery Notification E-mail Messages...
    - http://tools.cisco.com/security/cent...?alertId=24212
    Fake Missing Tax Document Notification E-mail Messages...
    - http://tools.cisco.com/security/cent...?alertId=24064
    Fake Royal Mail Service Delivery Failure E-mail Messages...
    - http://tools.cisco.com/security/cent...?alertId=24264
    Fake DHL Shipment E-mail Messages...
    - http://tools.cisco.com/security/cent...?alertId=19661
    Malicious UPS Delivery Notification E-mail Messages...
    - http://tools.cisco.com/security/cent...?alertId=24586
    Fake Facebook Profile Image E-mail Messages...
    - http://tools.cisco.com/security/cent...?alertId=24574

    Last edited by AplusWebMaster; 2011-11-16 at 16:54.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #522
    AplusWebMaster

    Virus Outbreak In Progress - 2011.11.21

    FYI...

    (Yet another) Virus Outbreak In Progress
    - http://www.ironport.com/toc/
    November 21, 2011

    - http://tools.cisco.com/security/cent...utbreak.x?i=77

    Fake USPS Package Delivery Notification E-mail Messages...
    - http://tools.cisco.com/security/cent...?alertId=24212
    "... sample of the e-mail message that is associated with this threat outbreak:
    Subject: USPS service. Get your parcel ID92082..."
    ___

    5 Top malicious spam subjects
    - http://community.websense.com/blogs/...-subjects.aspx
    17 Nov 2011 - "... campaigns are sent in a short period of time, and then disappear for a while. Usually, campaigns will last for about one hour or less, therefore some companies might struggle with blocking these emails. Below are the top 5 campaigns that we've seen over the last several days.
    1. ORDERS:
    Order N21560 (numbers vary)...
    2. TICKETS:
    FW: Re: UNIFORM TRAFFIC TICKET (ID: 239127922) (numbers vary and subject might appear without FW: or RE: )
    Fwd: Your Flight Order N125-9487755 (numbers vary)...
    3. DELIVERY COMPANIES:
    USPS Invoice copy ID46298 (numbers vary)
    FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ (numbers vary)
    DHL Express Notification for shipment 90176712199 (numbers vary)...
    4. Test
    ... Emails with "test" in the Subject line are commonly used by criminals to spread their malicious software. Users are used to seeing legitimate emails with "test" in the Subject line when an email system is being checked, and also spammers use such techniques to validate an email address.
    5. Payment/TAX systems:
    FRAUD ALERT for ACH, Your Wire Transfer, Wire transfer rejected, IRS requires new EIN, IRS Tax report..."
    (Screenshots and more detail available at the websense URL above.)

    Last edited by AplusWebMaster; 2011-11-22 at 14:20.
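Added example (not from the Websense post or the forum author): a small Python classifier that turns the subject formats quoted above into regexes and runs them over a constructed batch of subjects. The patterns are my approximation of the quoted shapes (the numeric IDs "vary", so each pattern matches the form, not a specific number), and the sample subjects are made up for the demo; a benign "Test results ..." subject is included to show that only a bare "test" subject trips the fourth campaign.

```python
"""Flag e-mail Subject lines that match the malicious spam campaign themes
listed in the Websense post (orders, tickets, delivery companies, bare
'test', payment/tax). Added example; patterns are assumptions derived
from the quoted subjects, so tune them against your own mail flow.
"""
import re
from typing import Optional

# Optional "FW:" / "Fwd:" / "Re:" prefixes, repeated, as seen in the samples.
_PREFIX = r"^(?:(?:fwd?|re):\s*)*"

# (campaign name, compiled pattern); first match wins.
CAMPAIGN_PATTERNS = [
    ("orders",      re.compile(_PREFIX + r"Order\s+N\d{4,}", re.I)),
    ("tickets",     re.compile(_PREFIX + r"UNIFORM TRAFFIC TICKET\s*\(ID:\s*\d+\)", re.I)),
    ("tickets",     re.compile(_PREFIX + r"Your Flight Order\s+N\d+-\d+", re.I)),
    ("delivery",    re.compile(_PREFIX + r"USPS Invoice copy\s+ID\d+", re.I)),
    ("delivery",    re.compile(_PREFIX + r"FedEx:\s*New Agent File Form,\s*trackid:\s*[A-Z0-9]+", re.I)),
    ("delivery",    re.compile(_PREFIX + r"DHL Express Notification for shipment\s+\d+", re.I)),
    ("delivery",    re.compile(_PREFIX + r"USPS service\.\s*Get your parcel\s+ID\d+", re.I)),
    # Only a *bare* "test" subject counts; "Test results ..." is normal traffic.
    ("test",        re.compile(_PREFIX + r"test\s*$", re.I)),
    ("payment_tax", re.compile(r"(FRAUD ALERT for ACH|Your Wire Transfer|Wire transfer rejected"
                               r"|IRS requires new EIN|IRS Tax report)", re.I)),
]


def classify_subject(subject: str) -> Optional[str]:
    """Return the campaign name for a matching subject, or None."""
    s = subject.strip()
    for name, pattern in CAMPAIGN_PATTERNS:
        if pattern.search(s):
            return name
    return None


def scan_subjects(subjects):
    """Return {subject: campaign} for every flagged subject."""
    hits = {}
    for subj in subjects:
        campaign = classify_subject(subj)
        if campaign:
            hits[subj] = campaign
    return hits


# Constructed sample subjects (not real mail): the campaign formats quoted
# in the post plus benign subjects that must not be flagged.
SAMPLE_SUBJECTS = [
    "Order N21560",
    "FW: Re: UNIFORM TRAFFIC TICKET (ID: 239127922)",
    "Fwd: Your Flight Order N125-9487755",
    "USPS Invoice copy ID46298",
    "FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ",
    "DHL Express Notification for shipment 90176712199",
    "USPS service. Get your parcel ID92082",
    "test",
    "Wire transfer rejected",
    "Re: lunch on Thursday?",            # benign
    "Your order has shipped",            # benign: no campaign-style identifier
    "Test results for the new build",    # benign: 'test' but not bare
]

if __name__ == "__main__":
    for subj, campaign in scan_subjects(SAMPLE_SUBJECTS).items():
        print(f"{campaign:12s} {subj}")
```

Run it as a script to see the nine flagged subjects; wire `classify_subject` into a milter or a mail-log parser to count campaign hits per hour, which is how you would spot the one-hour bursts the post describes.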

  3. #523
    AplusWebMaster

    Fake FBI email threatens recipients with jail

    FYI...

    Fake FBI email threatens recipients with jail
    - https://www.net-security.org/secworld.php?id=11995
    23 November 2011 - "An e-mail purportedly coming from the FBI Anti-Terrorist and Monetary Crimes Division has been hitting inboxes and threatening recipients with jail time if they don't respond, reports Cyberwarzone*.
    "We have warned you so many times and you have decided to ignore our e-mails or because you believe we have not been instructed to get you arrested and today if you fail to respond back to us with the payment then we would first send a letter to the mayor of the city where you reside and direct them to close your bank account until you have been jailed and all your properties will be confiscated by the fbi," says in the email. "We would also send a letter to the company/agency that you are working for so that they could get you fired until we are through with our investigations because a suspect is not suppose to be working for the government or any private organization."
    The crooks continue with the threats, accusing the recipient of being an "internet fraudster"... there is no way that the email is legitimate..."
    * http://www.cyberwarzone.com/cyberwar...fficial-notice


  4. #524
    AplusWebMaster

    Java attack rolled into Exploit Kits

    FYI...

    Java attack rolled into Exploit Kits
    - https://krebsonsecurity.com/2011/11/...-exploit-kits/
    November 28, 2011 - "A new exploit that takes advantage of a recently-patched critical security flaw in Java is making the rounds in the criminal underground. The exploit, which appears to work against all but the latest versions of Java, is being slowly folded into automated attack tools. The exploit attacks a vulnerability* that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update... a discussion in an exclusive cybercrime forum about an exploit that appears to have been weaponized... the hacker principally responsible for maintaining and selling BlackHole said the new Java exploit was being rolled out for free to existing "license" holders..."
    * http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-3544
    CVSS v2 Base Score: 10.0 (HIGH)
    "... Java SE JDK and JRE 7 and 6 Update 27 and earlier..."

    Check your version here: https://www.java.com/en/download/installed.jsp

    - https://blogs.technet.com/themes/blo...ate&GroupKeys=
    28 Nov 2011 - "... the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in the Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). During the one year period starting in the third quarter of 2010 (3Q10) and ending in the second quarter of 2011 (2Q11), between one-third and one-half of all exploits observed in each quarter were Java exploits..."
    Charted: * https://blogs.technet.com/cfs-filesy...0_5E607283.png

    - http://www.darkreading.com/taxonomy/...e/id/232200604
    Dec 01, 2011 - "... Metasploit... added a new module for the latest Java attack that abuses a recently patched vulnerability... then was quickly "productized" into a crimeware kit in the underground... the attack also was getting rolled into the BlackHole crimeware kit..."

    Last edited by AplusWebMaster; 2011-12-03 at 21:21.
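Added example (not from Krebs, Oracle or the forum author): a Python check that parses the `java -version` string format of that era ("1.6.0_29", "1.7.0_01") and compares it against the fixed builds the post names, Java 6 Update 29 and Java 7 Update 1. Treating any major line newer than 7 as fixed is my assumption, as is treating unparseable output as unpatched; the version strings in the demo are typed in, not taken from a real host.

```python
"""Is this Java build at or above the update that fixed CVE-2011-3544,
as the post states it (6u29 / 7u1)? Added example, not Oracle's tooling.
Only the legacy "1.x.y_zz" string format is handled.
"""
import re
import subprocess

# Minimum update level per major version that the post lists as patched.
FIXED_UPDATES = {6: 29, 7: 1}

_VERSION_RE = re.compile(r'(?:java version\s*")?1\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, update) from a '1.x.y_zz' string, or None if unparseable.
    A missing '_zz' means update 0 (e.g. the initial 1.7.0 release)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(3)) if m.group(3) else 0
    return major, update


def is_patched(text):
    """True if the version is at or above the fixed update for its major line.
    Older majors (1.5 and below) are vulnerable; majors newer than 7 are
    assumed fixed (assumption); unparseable input is treated as unpatched."""
    parsed = parse_java_version(text)
    if parsed is None:
        return False
    major, update = parsed
    needed = FIXED_UPDATES.get(major)
    if needed is None:
        return major > max(FIXED_UPDATES)
    return update >= needed


def installed_java_version():
    """Run `java -version` (it prints to stderr) and return its first line,
    or None when no java binary is on PATH."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    text = out.stderr or out.stdout
    return text.splitlines()[0] if text else None


if __name__ == "__main__":
    # Constructed version strings, not real host output.
    for v in ('java version "1.6.0_27"', 'java version "1.6.0_29"',
              'java version "1.7.0"', 'java version "1.7.0_01"'):
        print(f"{v:30s} patched={is_patched(v)}")
    local = installed_java_version()
    if local:
        print(f"{local:30s} patched={is_patched(local)}")
```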

  5. #525
    AplusWebMaster

    It's 'Black Monday' ...

    ... and of course, we have the obligatory Monday:

    Virus Outbreak In Progress
    - http://www.ironport.com/toc/
    Nov. 28, 2011

    - http://tools.cisco.com/security/cent...utbreak.x?i=77

    Fake Invoice Document E-mail Msgs... updated November 23, 2011
    - http://tools.cisco.com/security/cent...?alertId=24591
    Fake United Parcel Service Invoice Notification E-mail Msgs... updated November 23
    - http://tools.cisco.com/security/cent...?alertId=24615
    Fake Electronic Payment Cancellation E-mail Msgs... updated November 23
    - http://tools.cisco.com/security/cent...?alertId=23517
    Fake iTunes Gift Certificate E-mail Msgs... updated November 23, 2011
    - http://tools.cisco.com/security/cent...?alertId=24604
    ___

    - http://nakedsecurity.sophos.com/2011...email-inboxes/
    November 28, 2011

    - https://www.examiner.com/homeland-se...oes-a-long-way
    November 27, 2011

    Last edited by AplusWebMaster; 2011-11-28 at 16:24.

  6. #526
    AplusWebMaster

    Fake -Intuit- online payroll E-mail...

    FYI...

    Fake -Intuit- online payroll E-mail...
    - http://security.intuit.com/alert.php?a=31
    Last updated 11/28/2011 - "Customers have reported receiving a fake Intuit Online Payroll Free Trial email... copy of the fake email:
    "Dear,
    Thank you for choosing the Intuit Online Payroll Free Trial.
    Please refer to attached file for detailed information.
    During your free trial, you'll discover just how quick and easy it is to run payroll online:
    Easy to set up and use
    Run payroll anywhere, anytime - 24 hours a day, 7 days a week.
    Includes everything from instant paycheck calculations and free direct deposit to electronic tax filing and payments and W-2 forms
    Free support by phone or online
    Let's set up your account.
    Setting up your Intuit Online Payroll account is easy. All you need is your User ID and password to sign in and get started. To make signing in easier in the future, be sure to bookmark this page.
    If you have your current payroll information handy, you can even run your payroll today. We're here to help...":

    HELP steal your "User ID and password", that is.


  7. #527
    AplusWebMaster

    Facebook worm in the Wild...

    FYI...

    Facebook worm in the Wild...
    - http://sunbeltblog.blogspot.com/2011...m-in-wild.html
    November 29, 2011 - "... the worm is said to be "a classic" one in terms of how it infects Internet users: uses stolen credentials to log in to Facebook accounts and then spam contacts. The message is said to contain a link to a file purporting to be an image—Screenshot* of the file shows it has a .JPG extension—but it's actually a malicious screensaver. Once run, it drops a cocktail of malicious files onto the system, including ZeuS, a popular Trojan spyware capable of stealing user information from infected systems. The worm is also found to have anti-VM capabilities, making it useless to execute and test in a virtual environment, such as Oracle VM VirtualBox and VMWare. Please keep in mind that securing your information, including your social network credentials, is a must..."
    * https://www.csis.dk/images/sn-worm.png

    Last edited by AplusWebMaster; 2011-11-29 at 22:06.
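Added example (not from the Sunbelt or CSIS write-ups): the worm's lure is a file that looks like a .JPG but is really a screensaver, i.e. a Windows PE executable. Windows picks the handler from the extension, but the leading bytes do not lie: a JPEG starts with FF D8 FF, a PE file with "MZ". The Python below compares the two and also flags the double-extension trick ("holiday.jpg.scr" displays as "holiday.jpg" when known extensions are hidden). The sample files are a few constructed header bytes, not real malware.

```python
"""Compare an attachment's claimed type (extension) with its real type
(file signature). Added example; the magic numbers are the standard
signatures for each format.
"""
import os

# (header prefixes, type) in the order they are tested.
MAGICS = [
    ((b"MZ",), "pe"),                       # Windows executable: .exe/.scr/.pif ...
    ((b"\xff\xd8\xff",), "jpeg"),
    ((b"\x89PNG\r\n\x1a\n",), "png"),
    ((b"GIF87a", b"GIF89a"), "gif"),
]
IMAGE_EXTS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
EXEC_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}


def classify_header(data):
    """Return 'pe', 'jpeg', 'png', 'gif' or 'unknown' from the leading bytes."""
    for prefixes, kind in MAGICS:
        if data.startswith(prefixes):
            return kind
    return "unknown"


def check_attachment(name, data):
    """Verdict for one attachment:
      'executable' - PE header, or an executable extension (incl. x.jpg.scr)
      'mismatch'   - image extension whose header is a different image type
      'ok'         - extension and header agree
      'unverified' - extension not in the table and header is not PE
    """
    _, ext = os.path.splitext(name.lower())   # last extension is the real one
    real = classify_header(data)
    if real == "pe" or ext in EXEC_EXTS:
        return "executable"
    expected = IMAGE_EXTS.get(ext)
    if expected is None:
        return "unverified"
    return "ok" if real == expected else "mismatch"


def scan(samples):
    """{name: verdict} for a mapping of file name -> leading bytes."""
    return {name: check_attachment(name, data) for name, data in samples.items()}


# Constructed samples, not real files: minimal headers only.
SAMPLES = {
    "holiday.jpg":     b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",   # genuine JPEG
    "holiday.jpg.scr": b"MZ\x90\x00\x03\x00\x00\x00",          # the worm's trick
    "screenshot.jpg":  b"MZ\x90\x00\x03\x00\x00\x00",          # PE renamed to .jpg
    "logo.png":        b"GIF89a\x01\x00\x01\x00",              # wrong image type
    "notes.txt":       b"just text\n",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{verdict:11s} {name}")
```

On a mail gateway you would read the first 16 bytes of each decoded attachment and drop anything that comes back "executable"; "mismatch" is worth a look but is often just a mislabelled image.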

  8. #528
    AplusWebMaster

    Cybercrime svcs ramp up - demand from fraudsters ...

    FYI...

    Cybercrime svcs ramp up - demand from fraudsters ...
    - https://www.trusteer.com/blog/cyberc...and-fraudsters
    November 30, 2011 - "... recent Trusteer Research has indicated changes in service scope and price due to service convergence and demanding buyers... One-stop-shop - Trusteer Research came across a new group that besides offering infection services (for prices between 0.5 and 4.5 cents for each upload, depending on geography) also provides polymorphic encryption and AV checkers... For Polymorphic encryption of malware instances they charge from $25 to $50 and for prevention of malware detection by anti-virus systems (AV checking) they charge $20 for one week and $100 for one month of service... final paid price depends on percentage of infections... Some malware services like AV checking and Encryption are becoming a commodity, driving cybercriminals to consolidate services to stay competitive and introduce new offerings like the Phone Service... advise banks and their online banking users to maintain constant vigilance, apply software updates, maintain an awareness of new threats... complement desktop hygiene solutions like Anti Virus with security controls specifically designed to protect against Financial Malware... Some fraudster groups specialize in infecting hosts with malware, either by creating a botnet of hosts that could be infected at will, or by inserting exploit code to sites and routing victims to these sites to infect them using drive-by-downloads."

    - http://krebsonsecurity.com/2011/11/d...-cyber-heists/
    November 30, 2011 - "The FBI* is warning that computer crooks have begun launching debilitating cyber attacks against banks and their customers as part of a smoke screen to detract attention away from simultaneous high-dollar cyber heists. The bureau says the attacks coincide with corporate account takeovers perpetrated by thieves..."
    * http://www.fbi.gov/denver/press-rele...shing-campaign


  9. #529
    AplusWebMaster

    Cutwail SPAM campaigns lure users to Blackhole Exploit Kit

    FYI...

    Cutwail SPAM campaigns lure users to Blackhole Exploit Kit
    - http://labs.m86security.com/2011/12/...e-exploit-kit/
    December 1st, 2011 - "Over the past few days the Cutwail botnet has been sending out malicious spam campaigns with a variety of themes such as airline ticket orders, Automated Clearing House (ACH), Facebook notification, and scanned document. These campaigns do -not- have malware attachments, instead the payload is delivered via links to malicious code hosted on the web... The message body may look like a legitimate Facebook notification*. However, further inspection reveals the underlying link redirecting to a malicious webpage...
    * http://labs.m86security.com/wp-conte...utwailSpam.png
    Another campaign spammed out by Cutwail claims to be a flight ticket order. The spam can be easily spotted by its subject lines. It looks seemingly like a “forwarded” or “reply” email and uses the subject format shown in the image**...
    ** http://labs.m86security.com/wp-conte...Order-copy.png
    ... example of the message***
    *** http://labs.m86security.com/wp-conte...rScreensho.png
    ... There are two things you should notice about this particular spam campaign. Firstly, the visible URL shown does not conform to the URI naming scheme of not having a top level domain, a clumsy mistake from the spammers. Other similar messages use “www.airlines.com” which is a parked domain. Secondly, “Airlines America” in the signature block is not a real airline company unless the spammers meant to imply American Airlines.
    > Two other spam campaigns resurfaced this week, namely the “Automated Clearing House (ACH)” and the “scanned document”[1]...
    [1] http://labs.m86security.com/wp-conte.../11/ACH_HP.gif
    ... The URL link in these campaigns points to a compromised web server that serves a small HTML file. The HTML file then contains a malicious iframe that opens up a Blackhole exploit kit landing page. This is the same exploit kit used in previous spam campaigns such as the Steve Jobs is Alive and fake LinkedIn notifications... If you are a system administrator, you may want to block the following exploit kit landing pages.
    crredret[dot]ru/main.php
    www[dot]btredret[dot]ru/main.php
    bqredret[dot]ru/main.php
    At the time of analysis, loading the exploit kit webpage downloaded SpyEye and the Bobax spambot on to our vulnerable hosts."

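Added example (not M86's code): the post gives three landing-page hosts in defanged "[dot]" form and describes the delivery chain as a small HTML file on a compromised server carrying an iframe to the Blackhole page. The Python below refangs those indicators into a host blocklist, pulls iframes out of an HTML page and flags the ones that are hidden or point at a blocked host, and matches the same blocklist against proxy-log URLs. The HTML page and the proxy log lines are constructed for the demo; the hostnames are the three from the post. Stripping a leading "www." on both sides so the blocklist matches the bare domain is my normalisation choice.

```python
"""Refang defanged indicators, find iframes that pull in a blocked landing
page, and match proxy-log URLs against the same list. Added example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Landing pages as listed in the post, still defanged.
DEFANGED = [
    "crredret[dot]ru/main.php",
    "www[dot]btredret[dot]ru/main.php",
    "bqredret[dot]ru/main.php",
]


def refang(indicator):
    """Turn 'host[dot]tld/path' (also '[.]' and 'hxxp://') back into a URL."""
    s = indicator.strip()
    s = re.sub(r"\[(?:dot|\.)\]", ".", s, flags=re.I)
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s


def host_of(url):
    """Lowercased hostname of a URL with or without a scheme, minus 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


BLOCKED_HOSTS = {host_of(refang(i)) for i in DEFANGED}


def is_blocked(url):
    return host_of(url) in BLOCKED_HOSTS


class IframeCollector(HTMLParser):
    """Collect every iframe's src, whether it is visually hidden, and whether
    its host is on the blocklist."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        style = (a.get("style") or "").lower().replace(" ", "")
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.frames.append({"src": src, "hidden": hidden, "blocked": is_blocked(src)})


def suspicious_iframes(html):
    """Iframes that are hidden or point at a blocked host."""
    p = IframeCollector()
    p.feed(html)
    return [f for f in p.frames if f["blocked"] or f["hidden"]]


def blocked_requests(log_lines):
    """(client, url) for proxy-log lines whose URL hits the blocklist.
    Assumed line format: '<time> <client> <method> <url> <status>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        url = parts[3] if len(parts) >= 4 else ""
        if is_blocked(url):
            hits.append((parts[1], url))
    return hits


# Constructed samples for the demo, not captured traffic.
SAMPLE_HTML = """<html><body>
<p>Your document is being processed, please wait...</p>
<iframe src="http://crredret.ru/main.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://www.example.com/widget" width="300" height="200"></iframe>
</body></html>"""

SAMPLE_PROXY_LOG = [
    "2011-12-01T10:02:11 10.0.0.14 GET http://www.btredret.ru/main.php 200",
    "2011-12-01T10:02:12 10.0.0.14 GET http://www.example.com/ 200",
    "2011-12-01T10:05:40 10.0.0.27 GET http://bqredret.ru/main.php?x=1 200",
]

if __name__ == "__main__":
    print("blocklist:", sorted(BLOCKED_HOSTS))
    for f in suspicious_iframes(SAMPLE_HTML):
        print("iframe:", f)
    for client, url in blocked_requests(SAMPLE_PROXY_LOG):
        print("proxy hit:", client, url)
```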

  10. #530
    AplusWebMaster

    SSH password brute forcing... on the rise

    FYI...

    SSH password brute forcing... on the rise
    - https://isc.sans.edu/diary.html?storyid=12133
    Last Updated: 2011-12-04 23:26:51 UTC
    "... received a report of ongoing SSH account brute forcing against root. This activity has been ongoing for about a week now from various IPs... A review of the DShield data*, shows a spike can easily be observed starting 15 Nov and has been up/down ever since...
    * https://isc.sans.edu/diaryimages/SSH_4Dec2011.png
    Some Defensive Tips...
    - Never allow root to log in, no matter what: always login in as a regular user and then use su/sudo as needed.
    - Change port number: why go stand in the line of fire ?
    - Disallow password authentication (use keys)
    In addition to the above, you should also consider using TCP Wrappers with the SSH service to limit access to only those addresses that need access..."
    (More at the first isc URL above.)

    Atlas:
    - http://atlas.arbor.net/service/tcp/22#attacks

    - http://atlas.arbor.net/service/tcp/22#sources

    Last edited by AplusWebMaster; 2011-12-05 at 16:18.
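Added example (not from the ISC diary): a Python audit that checks an sshd_config against the three tips above, root login, password authentication and the listening port. It resolves directives the way sshd does (first occurrence wins, keywords are case-insensitive, "#" starts a comment, "Key=Value" is allowed) and skips anything under a Match block because those values are conditional. The two configs are constructed samples, one stock-looking and one hardened; the defaults assumed when a directive is absent are PermitRootLogin yes (as on older releases), PasswordAuthentication yes and Port 22. TCP wrappers (hosts.allow) are not covered here.

```python
"""Audit sshd_config text against the ISC tips: no root login, keys instead
of passwords, and a non-default port. Added example.
"""

# Values sshd applies when a directive is not set (assumption: older
# OpenSSH, where PermitRootLogin defaulted to yes).
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes", "port": "22"}


def effective_settings(config_text):
    """Map lowercase keyword -> the value sshd would use, over DEFAULTS.
    Directives inside a Match block are ignored (they are conditional)."""
    settings = dict(DEFAULTS)
    seen = set()
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        if key not in seen:                      # sshd honours the first occurrence
            seen.add(key)
            settings[key] = value
    return settings


def audit(config_text):
    """List of findings; empty when all three tips are satisfied."""
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"].lower() != "no":
        findings.append(f"root login allowed (PermitRootLogin {s['permitrootlogin']}): "
                        "set it to no and use su/sudo from a regular account")
    if s["passwordauthentication"].lower() != "no":
        findings.append("password authentication enabled: set PasswordAuthentication no "
                        "and use keys")
    if s["port"] == "22":
        findings.append("listening on the default port 22: moving it cuts the noise "
                        "from opportunistic scanners (not a substitute for the other two)")
    return findings


# Constructed samples, not real hosts' configs.
WEAK_CONFIG = """# stock-looking sshd_config
Port 22
#PermitRootLogin no        <- commented out, so the default applies
PasswordAuthentication yes
"""

HARDENED_CONFIG = """# hardened sshd_config
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes   # conditional; ignored by this audit
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Point `audit()` at the contents of /etc/ssh/sshd_config on each host; an empty result means the three tips are in place, and a non-empty one tells you which directive to change.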
